On a website I am building, I plan to log the IP addresses of submissions, just in case it's necessary. I don't mind proxies, but outright spoofing your IP address would defeat the purpose.

To perform a complete GET action (regardless of whether you receive a response, or whether it went through or not), is a legitimate IP address required? Or can a website be spammed with posts from random spoofed IP addresses?

Another approach is that taken by DuckDuckGo: they don't track IP addresses, just in case they're asked for them. See their privacy policy at duckduckgo.com/privacy.html#s3. You say "just in case it's necessary" -- do you have good ideas why it might be necessary?
– Randy Orrison, Apr 25 '12 at 17:47

4 Answers

If you're taking the address from the IP packets themselves, then you can trust that whoever sent the packets has access to packets sent to that IP address. That may mean that it's a legitimate user of that IP address (for appropriately limited values of the word "legitimate", in this age of botnets, open proxies, and Tor), or that whoever sent the packets has access to an intermediate system and can see the packets you're sending as they go past.

However, with the wide prevalence of reverse proxies, the IP packet can often misrepresent the source of the connection, and so various HTTP headers have been introduced to allow the "actual" origin IP address to be provided by the proxy. The problem here is that you have to trust whoever's sending the header to provide accurate information. Also, default (or misguided copy-pasta'd) configs can easily leave you open to spoofing of those headers. Hence, you have to identify whether any reverse proxies are legitimately involved in your requests, and ensure they (and your webserver) are properly configured and secured.
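The trust problem described in this answer is usually handled by walking the `X-Forwarded-For` chain from the right, discarding only hops you know to be your own reverse proxies, and ignoring the header entirely when the TCP peer is not one of them. The following is an added example, not code from the answer or from any particular framework; the trusted-proxy ranges and the sample addresses (RFC 5737 documentation ranges) are assumptions chosen for illustration.

```python
import ipaddress
from typing import Iterable, List, Optional


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For header into its comma-separated hops.

    Proxies append the address they received the connection from, so the
    leftmost entry is whatever the *first* hop claimed and the rightmost
    is what the proxy closest to us actually saw.
    """
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def client_ip(peer_ip: str, xff_header: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Return the address to log for this request.

    peer_ip         -- source address taken from the TCP connection itself
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- CIDR ranges of *your own* reverse proxies (assumed
                       to be known; anything else is untrusted)
    """
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False  # not an IP literal, certainly not one of ours
        return any(ip in net for net in trusted_nets)

    # If the connection did not come from one of our proxies, the header
    # was supplied by the client and is worth nothing. Use the packet's
    # source address, which the sender at least had to be able to receive on.
    if not is_trusted(peer_ip):
        return peer_ip

    # Walk right to left, peeling off our own proxies. The first hop that is
    # not ours is the address the outermost trusted proxy connected from.
    for hop in reversed(parse_xff(xff_header)):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A trusted proxy should never forward garbage; treat the chain
            # as tampered and fall back to the connection address.
            return peer_ip
        return hop

    # Header absent, or every hop was one of our proxies: nothing better than
    # the TCP peer is available.
    return peer_ip


if __name__ == "__main__":
    # Constructed sample requests; 10.0.0.0/8 stands in for "our proxy tier".
    ours = ["10.0.0.0/8"]
    # Client talks to us directly and forges a header: header ignored.
    print(client_ip("203.0.113.7", "192.0.2.44", ours))          # 203.0.113.7
    # Client forges a header, then passes through our proxy: forged part dropped.
    print(client_ip("10.0.0.5", "192.0.2.44, 198.51.100.9", ours))  # 198.51.100.9
```

Note that this only helps when the set of trusted proxies is exact: listing a CIDR that an attacker can originate connections from (a shared cloud range, for instance) lets them append any address they like and have it logged as the "real" client.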

TCP connections (which HTTP uses) require bi-directional communication. While you can spoof the source IP of a SYN packet easily, the SYN-ACK response from the server will be routed to the IP that you spoofed in the initial packet - you'll be unable to complete the connection unless you can see the response from the server.

However, anonymous proxying tools like Tor can provide a means to anonymize the source of a connection easily - keep in mind that this can defeat spam control by IP banning easily.

In the past, computers were very predictable in the sequence numbers for TCP traffic. That means an attacker would just send legitimate traffic until it figured out the sequence numbers and could make a pretty good guess at what would come next. Then it would send the TCP traffic to mimic a spoofed IP address and the host on the other end would believe it. So you could fake the three-way handshake.

Today, and I'd say for 10+ years, computers are a lot better at randomizing that, so it's pretty hard if not impossible. It would be a waste of time in my opinion for an attacker to do that.

HTTP runs over TCP. In order for TCP to work, you need the full 3-way SYN/ACK handshake before you get far enough to issue a GET or POST request, so a simple spoofed source won't do much. Other more advanced forms of spoofing (MitM) would still be effective.